package com.cqs.example.io.serial.attack;

import java.io.*;

/**
 * https://blog.csdn.net/m0_38103658/article/details/100581450
 *
 * @Author lixw
 * @Date 7/21/20 8:40 AM
 */
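public class FixObjectInputSteam extends ObjectInputStream {

    /**
     * Creates a stream that deserializes from {@code in} but resolves only the
     * {@link SerObj} class descriptor; every other descriptor is rejected before
     * any instance is created.
     *
     * @param in the underlying stream of serialized data
     * @throws IOException if the stream header cannot be read
     */
    public FixObjectInputSteam(InputStream in) throws IOException {
        super(in);
    }

    /**
     * Subclass constructor mirroring {@link ObjectInputStream#ObjectInputStream()}.
     *
     * @throws IOException       if thrown by the superclass constructor
     * @throws SecurityException if thrown by the superclass constructor
     */
    protected FixObjectInputSteam() throws IOException, SecurityException {
    }

    /**
     * Look-ahead allow-list: the descriptor's class name is compared against
     * {@link SerObj} <em>before</em> {@code super.resolveClass} loads anything,
     * so no other class is loaded or instantiated from the stream.
     *
     * @param desc the class descriptor read from the stream
     * @return the resolved {@code SerObj} class
     * @throws InvalidClassException  if the descriptor names any other class
     * @throws IOException            on underlying stream errors
     * @throws ClassNotFoundException if the superclass cannot resolve the class
     */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // An allow-list is used here; a deny-list would also work but is the
        // weaker default. NOTE(review): on Java 9+ ObjectInputStream.setObjectInputFilter
        // can additionally bound nesting depth, array length and reference count,
        // which a resolveClass check alone does not.
        if (!SerObj.class.getName().equals(desc.getName())) {
            throw new InvalidClassException(
                    "Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }

    /**
     * Dynamic-proxy descriptors are resolved through this method rather than
     * {@link #resolveClass}; because the allow-list contains no interface, no
     * proxy can be legitimate, so every proxy descriptor is rejected.
     *
     * @param interfaces the interface names listed in the proxy descriptor
     * @return never returns normally
     * @throws InvalidClassException always
     */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new InvalidClassException(
                "Unauthorized deserialization attempt", String.join(",", interfaces));
    }
}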
